The latest articles on DEV Community by Robin Thomas (@robinthomas_30). https://dev.to/robinthomas_30 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1140673%2Fdb8340b7-db0b-4691-8564-97113d83adf6.jpeg https://dev.to/robinthomas_30 en Robin Thomas Sun, 17 Sep 2023 23:26:57 +0000 https://dev.to/robinthomas_30/using-secrets-in-serverless-50hf https://dev.to/robinthomas_30/using-secrets-in-serverless-50hf <h2> Introduction </h2> <p>All you need to do is to create a <code>serverless.yml</code> file, with some default configurations, and a deployment user all set up, and you shall be deploying in no time.</p> <p>Now imagine that you need to store credentials like MySQL user and password.</p> <p>You can store them in <code>.env.*</code> files, and serverless can easily export them as environment variables for your AWS lambdas.</p> <p>But should you be doing so?!</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--38e6Yxhr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ujovw2heg7ob7mrye8w0.jpg" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--38e6Yxhr--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ujovw2heg7ob7mrye8w0.jpg" alt="Don't expose your secrets publicly" width="800" height="1200"></a></p> <blockquote> <p>Photo by <a href="https://unsplash.com/@luthermeb">Luther.M.E. Bottrill</a> on <a href="https://unsplash.com/">Unsplash</a></p> </blockquote> <p>NO!!</p> <p>Why is that?!</p> <p>Because that means revealing your secrets in your GitHub repositories (or some other platforms) publicly (<em>if your repo is private/internal, then no issue</em>).</p> <p>You can use GitHub secrets (<em>which are not revealed publicly in your GitHub repositories</em>), but there is no easy integration with serverless. Moreover, if you are already using AWS (with serverless), chances are, you might be using AWS Secrets Manager already.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--t85zslSp--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/h63v99mseusr6ccswako.jpg" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--t85zslSp--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/h63v99mseusr6ccswako.jpg" alt="AWS Secrets Manager" width="800" height="512"></a></p> <blockquote> <p>Photo by <a href="https://unsplash.com/@tinaflour">Kristina Flour</a> on <a href="https://unsplash.com/">Unsplash</a></p> </blockquote> <h2> Does serverless support this? </h2> <p>Serverless does natively support AWS Secrets Manager in <code>serverless.yml</code> file.</p> <p>You can use a configuration like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>custom: secret: ${ssm:/path/to/secureparam} </code></pre> </div> <p>So that means you need to define a <code>custom.secret</code> attribute, JSON parse it, and then write all the environment variables (that are used by AWS Lambdas) in <code>serverless.yml</code> file referencing this secret.</p> <p>Seems like a lot of work.</p> <p>Any plugin for this?!</p> <h2> Plugin time </h2> <p>I went through all serverless plugins that had remotely anything to do with AWS Secrets Manager.</p> <p>But I found none that served my use-cases. Which were:</p> <ul> <li>Allows me to integrate directly with environment variables</li> <li>I'm already using <code>.env.*</code> files. I don't want to redefine these variables in serverless.yml</li> <li>I need the plugin to run during all the serverless lifecycle hooks I want</li> <li>I need the secret integration to happen during build stage (and not during runtime)</li> <li>Easily determine the secrets from <code>.env.*</code> files. Can use a prefix search for a keyword like: <code>secret:</code> </li> <li>Works without much plugin configuration</li> </ul> <p>Well, I found none.</p> <p>So I went ahead and decided to create a serverless plugin myself. Plugin time!!</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--nU3G1IHl--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8wokp861inghvr7zzdn4.jpg" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--nU3G1IHl--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8wokp861inghvr7zzdn4.jpg" alt="Serverless AWS Secrets plugin" width="800" height="1000"></a></p> <blockquote> <p>Photo by <a href="https://unsplash.com/@techivation">Techivation</a> on <a href="https://unsplash.com/">Unsplash</a></p> </blockquote> <h2> Hello, Plugin! </h2> <p>Without much further ado, here is my plugin: <a href="https://github.com/robin-thomas/serverless-aws-secrets">https://github.com/robin-thomas/serverless-aws-secrets</a></p> <p>Serves all my use-cases, and more. Feedbacks are welcome.</p> <p><strong>Show me some love by starring the project on GitHub!</strong></p> <p><strong>If you like to contribute, take a look at some of the open issues!</strong></p> serverless javascript typescript aws